This nasty bug has many attack vectors, but we are going to focus on arguably the most widespread one: HTTP. Getting an ExtraHop appliance to detect attempts to exploit this bug over HTTP is not difficult, so I made a bundle to do just that. This bundle adds an AI Trigger that records whenever an HTTP header containing an exploit attempt is observed and stores both the client and server IP, so you know where it came from and where it was destined; a Custom Page to chart these attempts over time; and an Alert to let you know when an attempt is made.
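To make the detection concrete, here is an added example in plain JavaScript that models what the trigger does: look at every header of an HTTP request for the Shellshock signature and, on a hit, record the client IP, server IP and the header that carried it. This is not the bundle's own trigger code and uses no ExtraHop API; the sample requests, IP addresses and header values are constructed for the example. Like the trigger, it reports that an attempt was observed, not whether it succeeded.

```javascript
// Added example (not the bundle's trigger): model of flagging HTTP request
// headers that carry a Shellshock attempt and recording the client/server IPs.
// All sample traffic below is constructed for this example.

// The exploit relies on bash importing a function definition from an environment
// variable; every variant begins with "() {" (optional whitespace in between),
// so that prefix is the signature to look for in any header a CGI server may
// copy into the environment (User-Agent, Referer, Cookie, ...).
const SHELLSHOCK_SIGNATURE = /\(\)\s*\{/;

// Split a raw HTTP request into its request line and a header map
// (names lower-cased, repeated headers joined with ", ").
function parseHeaders(rawRequest) {
  const lines = rawRequest.split("\r\n");
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === "") break;          // blank line ends the header block
    const idx = line.indexOf(":");
    if (idx === -1) continue;        // tolerate a malformed line rather than abort
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = headers[name] ? headers[name] + ", " + value : value;
  }
  return { requestLine: lines[0], headers };
}

// Inspect one request; return a detection record or null.
function inspectRequest(clientIp, serverIp, rawRequest) {
  const { requestLine, headers } = parseHeaders(rawRequest);
  for (const [name, value] of Object.entries(headers)) {
    if (SHELLSHOCK_SIGNATURE.test(value)) {
      return { clientIp, serverIp, header: name, requestLine };
    }
  }
  return null;
}

// Aggregate detections per client->server pair, the shape a chart or alert consumes.
function summarize(detections) {
  const counts = {};
  for (const d of detections) {
    if (d === null) continue;
    const key = `${d.clientIp} -> ${d.serverIp}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample traffic: one benign request and two attempts.
const SAMPLE_TRAFFIC = [
  { clientIp: "10.0.0.5", serverIp: "192.0.2.10", raw:
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n" +
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n" },   // "(" but no "() {"
  { clientIp: "198.51.100.7", serverIp: "192.0.2.10", raw:
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n" +
    "User-Agent: () { :; }; echo shellshock-test\r\n\r\n" },    // attempt in User-Agent
  { clientIp: "198.51.100.7", serverIp: "192.0.2.10", raw:
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n" +
    "Referer: () {:;}; echo shellshock-test\r\n\r\n" },         // attempt in Referer, no space
];

// Run the detector over the sample traffic; returns one entry per request.
function runSample() {
  return SAMPLE_TRAFFIC.map((t) => inspectRequest(t.clientIp, t.serverIp, t.raw));
}

if (typeof require !== "undefined" && require.main === module) {
  const detections = runSample();
  console.log(detections.filter(Boolean));  // the two flagged requests
  console.log(summarize(detections));       // { "198.51.100.7 -> 192.0.2.10": 2 }
}
```

The benign request shows why the signature is anchored on `() {` rather than on a lone parenthesis: ordinary User-Agent strings are full of parentheses, and matching on them alone would flood the chart with false positives.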

What you get

Triggers (1): HTTP Shellshock

Pages (2): HTTP Shellshock (Network-wide and per-Device)

Alerts (2): HTTP Shellshock Sent and HTTP Shellshock Received

Caveats

There are a few caveats of which to be aware:

The trigger cannot detect vulnerable hosts if they are not talking -- though this at least means they are not actively being exploited!

The trigger doesn't detect whether the exploit attempt was successful -- it merely sees that one was attempted.

The trigger only detects attempts for HTTP (and HTTPS if SSL decryption is enabled and occurring on your appliance).

Installation Instructions

Download the bundle.

In DE, import the bundle -- the trigger and page will automatically be assigned where they need to be, but you will need to enable both of them. Once some traffic matching the exploit is passed, the chart on the 'HTTP Shellshock' page should show activity.

In the full product, import the bundle -- enable and assign the trigger, alert, and page to whatever devices you'd like to monitor for exploit attempts for Shellshock over HTTP. Once some traffic matching the exploit is passed, the chart on the 'HTTP Shellshock' page should show activity and an alert should fire.
